Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 10-11-2021 02:29
Static task: static1
Behavioral task: behavioral1
- Sample: d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe
- Resource: win10-en-20211014
General
- Target: d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe
- Size: 365KB
- MD5: 667df7fcbe531eb97d1519444b96dae6
- SHA1: 405dcd089ac54417b9ba61900d6da288b72aa325
- SHA256: d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4
- SHA512: 7b546655bec035e489d22b56bb9598f3f42eb65d4d229acb0dbbe7594486f68861e262f8bff2dd17d8b61a3e1ac3bc35281815688d29a1c23ae6f9e0f1b8a918
Malware Config
Extracted
- Family: redline
- Botnet: 1132044836
- C2: 185.183.32.184:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
YARA hits on memory dumps:
- resource: behavioral1/memory/2868-118-0x00000000023F0000-0x000000000241E000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/2868-120-0x0000000005030000-0x000000000505C000-memory.dmp, yara_rule: family_redline
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies, autofill entries and browsing history.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry (the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall subkeys) to enumerate software installed on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- pid: 2868, process: d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- description: Token: SeDebugPrivilege, pid: 2868, process: d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe
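The behavioural signatures above (browser data access, wallet access, Uninstall-key enumeration, process enumeration, SeDebugPrivilege) are derived by the sandbox from the API, file and registry events the sample generated. The script below is an added example, not the sandbox's rule set: it encodes one plausible matching criterion per signature name and runs it over a constructed trace in a simple `pid|category|api|argument` format, with pid 2868 standing in for the sample and pid 4120 as a benign control. The trace lines, the file paths and the exact match patterns are my assumptions, chosen to illustrate how each signature can fire.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed trace (not taken from the report): one event per line as
# pid|category|api|argument.  pid 4120 is a benign control process.
TRACE = r"""
2868|registry|RegOpenKeyExW|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2868|registry|RegEnumKeyExW|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
2868|file|NtCreateFile|C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data
2868|file|NtCreateFile|C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json
2868|file|NtCreateFile|C:\Users\Admin\AppData\Roaming\Exodus\exodus.wallet\seed.seco
2868|process|CreateToolhelp32Snapshot|TH32CS_SNAPPROCESS
2868|process|Process32NextW|
2868|token|AdjustTokenPrivileges|SeDebugPrivilege
4120|file|NtCreateFile|C:\Windows\System32\kernel32.dll
4120|registry|RegOpenKeyExW|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"""

# (signature name as printed in the report, event category, regex over "api|argument").
# These criteria are my approximation of what each signature implies, not the
# sandbox's actual rules.
SIGNATURES = [
    ("Reads user/profile data of web browsers", "file",
     re.compile(r"\\(Google\\Chrome|Mozilla\\Firefox|Microsoft\\Edge)\\.*\\(Login Data|logins\.json|Cookies|Web Data)$", re.I)),
    ("Accesses cryptocurrency files/wallets", "file",
     re.compile(r"\\(Exodus|Electrum|Ethereum|Armory|Atomic)\\", re.I)),
    ("Checks installed software on the system", "registry",
     re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    ("Suspicious behavior: EnumeratesProcesses", "process",
     re.compile(r"^(CreateToolhelp32Snapshot|Process32(First|Next)W?|NtQuerySystemInformation)\|")),
    ("Suspicious use of AdjustPrivilegeToken", "token",
     re.compile(r"^AdjustTokenPrivileges\|.*\bSeDebugPrivilege\b")),
]


def parse_trace(trace: str):
    """Yield (pid, category, api, argument) for each non-empty trace line."""
    for line in trace.strip().splitlines():
        pid, category, api, arg = line.split("|", 3)
        yield int(pid), category, api, arg


def match_signatures(trace: str) -> dict[str, dict[int, list[str]]]:
    """Return {signature name: {pid: [matching 'api|argument' subjects]}}."""
    hits: dict[str, dict[int, list[str]]] = defaultdict(lambda: defaultdict(list))
    for pid, category, api, arg in parse_trace(trace):
        subject = f"{api}|{arg}"
        for name, wanted_category, pattern in SIGNATURES:
            if category == wanted_category and pattern.search(subject):
                hits[name][pid].append(subject)
    return {name: dict(pids) for name, pids in hits.items()}


def summarize(trace: str) -> list[tuple[str, int, int]]:
    """Flatten the hits to (signature, pid, number of matching events), sorted."""
    return sorted(
        (name, pid, len(events))
        for name, pids in match_signatures(trace).items()
        for pid, events in pids.items()
    )


if __name__ == "__main__":
    for name, pid, count in summarize(TRACE):
        print(f"{name:<45} pid {pid}  {count} IoC(s)")
```

Each signature is keyed on the event category as well as the pattern, so a registry path that merely contains a browser name cannot trigger the browser-data rule; the control process touches a Run key and a system DLL and produces no hits.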
Processes
-
C:\Users\Admin\AppData\Local\Temp\d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe (pid 2868, tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d62977ecf32ffc5e2876ffb87943022e3cb28172154a580ea3bc3f1ae26f91a4.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2868-116-0x0000000000730000-0x0000000000769000-memory.dmp (Filesize 228KB)
- memory/2868-115-0x00000000006E0000-0x000000000070B000-memory.dmp (Filesize 172KB)
- memory/2868-117-0x0000000000400000-0x0000000000465000-memory.dmp (Filesize 404KB)
- memory/2868-118-0x00000000023F0000-0x000000000241E000-memory.dmp (Filesize 184KB)
- memory/2868-119-0x0000000004B30000-0x0000000004B31000-memory.dmp (Filesize 4KB)
- memory/2868-120-0x0000000005030000-0x000000000505C000-memory.dmp (Filesize 176KB)
- memory/2868-122-0x0000000004B22000-0x0000000004B23000-memory.dmp (Filesize 4KB)
- memory/2868-121-0x0000000004B20000-0x0000000004B21000-memory.dmp (Filesize 4KB)
- memory/2868-123-0x0000000004B23000-0x0000000004B24000-memory.dmp (Filesize 4KB)
- memory/2868-124-0x0000000005090000-0x0000000005091000-memory.dmp (Filesize 4KB)
- memory/2868-125-0x0000000005730000-0x0000000005731000-memory.dmp (Filesize 4KB)
- memory/2868-126-0x0000000005760000-0x0000000005761000-memory.dmp (Filesize 4KB)
- memory/2868-127-0x0000000005870000-0x0000000005871000-memory.dmp (Filesize 4KB)
- memory/2868-128-0x0000000004B24000-0x0000000004B26000-memory.dmp (Filesize 8KB)
- memory/2868-129-0x0000000005900000-0x0000000005901000-memory.dmp (Filesize 4KB)
- memory/2868-130-0x0000000006660000-0x0000000006661000-memory.dmp (Filesize 4KB)
- memory/2868-131-0x00000000069E0000-0x00000000069E1000-memory.dmp (Filesize 4KB)
- memory/2868-132-0x0000000006A60000-0x0000000006A61000-memory.dmp (Filesize 4KB)
- memory/2868-133-0x0000000006C50000-0x0000000006C51000-memory.dmp (Filesize 4KB)
- memory/2868-134-0x0000000006D90000-0x0000000006D91000-memory.dmp (Filesize 4KB)
- memory/2868-135-0x0000000006F60000-0x0000000006F61000-memory.dmp (Filesize 4KB)
- memory/2868-136-0x0000000007C10000-0x0000000007C11000-memory.dmp (Filesize 4KB)
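The dump names above encode the process id, a sequence number and the virtual address range that was dumped, so the reported sizes can be recomputed and the two dumps the family_redline YARA rule hit (118 and 120) can be placed relative to the mapped executable (dump 117, 0x400000-0x465000). The parser below is an added example written for this report format, not tooling from the sandbox; the dump names and size labels it embeds are copied from the list above (a subset), and the assumption that sizes are rounded down to whole KB is mine.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Dump names have the shape memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp,
# optionally prefixed with the task name (behavioral1/...).
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump 117 in the list above: the mapped executable image.
IMAGE_BASE, IMAGE_END = 0x400000, 0x465000


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    n: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    def size_label(self) -> str:
        # Assumption: the report prints sizes rounded down to whole KB.
        return f"{self.size // 1024}KB"

    def overlaps(self, lo: int, hi: int) -> bool:
        return self.start < hi and lo < self.end


def parse_dump_name(name: str) -> DumpRegion:
    """Parse a dump file name into its pid, sequence number and address range."""
    m = DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    return DumpRegion(int(m["pid"]), int(m["n"]), int(m["start"], 16), int(m["end"], 16))


# Subset of the Downloads list above, with the sizes the report printed.
REPORTED_SIZES = {
    "memory/2868-116-0x0000000000730000-0x0000000000769000-memory.dmp": "228KB",
    "memory/2868-115-0x00000000006E0000-0x000000000070B000-memory.dmp": "172KB",
    "memory/2868-117-0x0000000000400000-0x0000000000465000-memory.dmp": "404KB",
    "memory/2868-118-0x00000000023F0000-0x000000000241E000-memory.dmp": "184KB",
    "memory/2868-120-0x0000000005030000-0x000000000505C000-memory.dmp": "176KB",
    "memory/2868-128-0x0000000004B24000-0x0000000004B26000-memory.dmp": "8KB",
}

# The dumps the report's YARA pass tagged with family_redline.
YARA_HITS = {
    "behavioral1/memory/2868-118-0x00000000023F0000-0x000000000241E000-memory.dmp": "family_redline",
    "behavioral1/memory/2868-120-0x0000000005030000-0x000000000505C000-memory.dmp": "family_redline",
}


def verify_sizes(reported: dict[str, str]) -> dict[str, bool]:
    """Map each dump name to whether the recomputed size matches the printed label."""
    return {name: parse_dump_name(name).size_label() == label for name, label in reported.items()}


def flagged_regions(yara_hits: dict[str, str]) -> list[tuple[int, int, int, str]]:
    """Sorted (n, start, end, rule) for every YARA-tagged dump."""
    out = []
    for name, rule in yara_hits.items():
        r = parse_dump_name(name)
        out.append((r.n, r.start, r.end, rule))
    return sorted(out)


def outside_image(yara_hits: dict[str, str]) -> list[str]:
    """YARA-tagged dumps whose range does not overlap the mapped image."""
    return [name for name in yara_hits if not parse_dump_name(name).overlaps(IMAGE_BASE, IMAGE_END)]


if __name__ == "__main__":
    for name, ok in verify_sizes(REPORTED_SIZES).items():
        print(f"{'ok ' if ok else 'BAD'} {name} recomputed {parse_dump_name(name).size_label()}")
    for n, start, end, rule in flagged_regions(YARA_HITS):
        print(f"dump {n}: {start:#x}-{end:#x} ({(end - start) // 1024}KB) tagged {rule}")
```

Both tagged dumps (0x23F0000-0x241E000 and 0x5030000-0x505C000) fall outside the image mapping, while dump 117, which covers the executable as loaded from disk, carries no tag; that is consistent with a packed sample that only exposes the RedLine payload in private memory after unpacking, which is why the YARA verdict is reported against memory dumps rather than the file.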